Search in sources :

Example 6 with RangerSecurityContext

use of org.apache.ranger.security.context.RangerSecurityContext in project ranger by apache.

the class TestRangerServiceDefService method setup.

public void setup() {
    RangerSecurityContext context = new RangerSecurityContext();
    context.setUserSession(new UserSessionBase());
    RangerContextHolder.setSecurityContext(context);
    UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
    currentUserSession.setUserAdmin(true);
}
Also used : RangerSecurityContext(org.apache.ranger.security.context.RangerSecurityContext) UserSessionBase(org.apache.ranger.common.UserSessionBase)

Example 7 with RangerSecurityContext

use of org.apache.ranger.security.context.RangerSecurityContext in project ranger by apache.

the class TestPublicAPIs method setup.

@Before
public void setup() throws Exception {
    RangerSecurityContext context = new RangerSecurityContext();
    context.setUserSession(new UserSessionBase());
    RangerContextHolder.setSecurityContext(context);
    UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
    currentUserSession.setUserAdmin(true);
}
Also used : RangerSecurityContext(org.apache.ranger.security.context.RangerSecurityContext) UserSessionBase(org.apache.ranger.common.UserSessionBase) Before(org.junit.Before)

Example 8 with RangerSecurityContext

use of org.apache.ranger.security.context.RangerSecurityContext in project ranger by apache.

the class RangerSSOAuthenticationFilter method doFilter.

/*
	 * doFilter of RangerSSOAuthenticationFilter is the first in the filter list so in this it check for the request
	 * if the request is from browser, doesn't contain local login and sso is enabled then it process the request against knox sso
	 * else if it's ssoenable and the request is with local login string then it show's the appropriate msg
	 * else if ssoenable is false then it contiunes with further filters as it was before sso
	 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
    String xForwardedURL = constructForwardableURL(httpRequest);
    if (httpRequest.getRequestedSessionId() != null && !httpRequest.isRequestedSessionIdValid()) {
        synchronized (httpRequest.getServletContext()) {
            if (httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()) != null && "locallogin".equals(httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()).toString())) {
                httpRequest.getSession().setAttribute("locallogin", "true");
                httpRequest.getServletContext().removeAttribute(httpRequest.getRequestedSessionId());
            }
        }
    }
    RangerSecurityContext context = RangerContextHolder.getSecurityContext();
    UserSessionBase session = context != null ? context.getUserSession() : null;
    boolean ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
    String userAgent = httpRequest.getHeader("User-Agent");
    if (httpRequest.getSession() != null) {
        if (httpRequest.getSession().getAttribute("locallogin") != null) {
            servletRequest.setAttribute("ssoEnabled", false);
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
    }
    // If sso is enable and request is not for local login and is from browser then it will go inside and try for knox sso authentication
    if (ssoEnabled && !httpRequest.getRequestURI().contains(LOCAL_LOGIN_URL)) {
        // Note : Need to remove !isAuthenticated() after knoxsso solve the bug from cross-origin script
        if (jwtProperties != null && !isAuthenticated()) {
            HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
            String serializedJWT = getJWTFromCookie(httpRequest);
            // if we get the hadoop-jwt token from the cookies then will process it further
            if (serializedJWT != null) {
                SignedJWT jwtToken = null;
                try {
                    jwtToken = SignedJWT.parse(serializedJWT);
                    boolean valid = validateToken(jwtToken);
                    // if the public key provide is correct and also token is not expired the process token
                    if (valid) {
                        String userName = jwtToken.getJWTClaimsSet().getSubject();
                        LOG.info("SSO login user : " + userName);
                        String rangerLdapDefaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
                        // if we get the userName from the token then log into ranger using the same user
                        if (userName != null && !userName.trim().isEmpty()) {
                            final List<GrantedAuthority> grantedAuths = new ArrayList<>();
                            grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
                            final UserDetails principal = new User(userName, "", grantedAuths);
                            final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
                            WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpRequest);
                            ((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
                            RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
                            authenticationProvider.setSsoEnabled(ssoEnabled);
                            Authentication authentication = authenticationProvider.authenticate(finalAuthentication);
                            authentication = getGrantedAuthority(authentication);
                            SecurityContextHolder.getContext().setAuthentication(authentication);
                        }
                        filterChain.doFilter(servletRequest, httpServletResponse);
                    } else // if the token is not valid then redirect to knox sso
                    {
                        if (isWebUserAgent(userAgent)) {
                            String ssourl = constructLoginURL(httpRequest, xForwardedURL);
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("SSO URL = " + ssourl);
                            }
                            httpServletResponse.sendRedirect(ssourl);
                        } else {
                            filterChain.doFilter(servletRequest, httpServletResponse);
                        }
                    }
                } catch (ParseException e) {
                    LOG.warn("Unable to parse the JWT token", e);
                }
            } else // if the jwt token is not available then redirect it to knox sso
            {
                if (isWebUserAgent(userAgent)) {
                    String ssourl = constructLoginURL(httpRequest, xForwardedURL);
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("SSO URL = " + ssourl);
                    }
                    httpServletResponse.sendRedirect(ssourl);
                } else {
                    filterChain.doFilter(servletRequest, httpServletResponse);
                }
            }
        } else // if property is not loaded or is already authenticated then proceed further with next filter
        {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    } else if (ssoEnabled && ((HttpServletRequest) servletRequest).getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent) && isAuthenticated()) {
        // If already there's an active session with sso and user want's to switch to local login(i.e without sso) then it won't be navigated to local login
        // In this scenario the user as to use separate browser
        String url = ((HttpServletRequest) servletRequest).getRequestURI().replace(LOCAL_LOGIN_URL + "/", "");
        url = url.replace(LOCAL_LOGIN_URL, "");
        LOG.warn("There is an active session and if you want local login to ranger, try this on a separate browser");
        ((HttpServletResponse) servletResponse).sendRedirect(url);
    } else // if sso is not enable or the request is not from browser then proceed further with next filter
    {
        filterChain.doFilter(servletRequest, servletResponse);
    }
}
Also used : User(org.springframework.security.core.userdetails.User) SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) GrantedAuthority(org.springframework.security.core.GrantedAuthority) ArrayList(java.util.ArrayList) HttpServletResponse(javax.servlet.http.HttpServletResponse) UsernamePasswordAuthenticationToken(org.springframework.security.authentication.UsernamePasswordAuthenticationToken) SignedJWT(com.nimbusds.jwt.SignedJWT) UserSessionBase(org.apache.ranger.common.UserSessionBase) RangerAuthenticationProvider(org.apache.ranger.security.handler.RangerAuthenticationProvider) HttpServletRequest(javax.servlet.http.HttpServletRequest) SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) AbstractAuthenticationToken(org.springframework.security.authentication.AbstractAuthenticationToken) RangerSecurityContext(org.apache.ranger.security.context.RangerSecurityContext) UserDetails(org.springframework.security.core.userdetails.UserDetails) Authentication(org.springframework.security.core.Authentication) WebAuthenticationDetails(org.springframework.security.web.authentication.WebAuthenticationDetails) ParseException(java.text.ParseException)

Example 9 with RangerSecurityContext

use of org.apache.ranger.security.context.RangerSecurityContext in project ranger by apache.

the class TestRangerBizUtil method setup.

@Before
public void setup() {
    RangerSecurityContext context = new RangerSecurityContext();
    context.setUserSession(new UserSessionBase());
    RangerContextHolder.setSecurityContext(context);
}
Also used : RangerSecurityContext(org.apache.ranger.security.context.RangerSecurityContext) UserSessionBase(org.apache.ranger.common.UserSessionBase) Before(org.junit.Before)

Example 10 with RangerSecurityContext

use of org.apache.ranger.security.context.RangerSecurityContext in project ranger by apache.

the class TestServiceDBStore method setup.

public void setup() {
    RangerSecurityContext context = new RangerSecurityContext();
    context.setUserSession(new UserSessionBase());
    RangerContextHolder.setSecurityContext(context);
    UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
    currentUserSession.setUserAdmin(true);
}
Also used : RangerSecurityContext(org.apache.ranger.security.context.RangerSecurityContext) UserSessionBase(org.apache.ranger.common.UserSessionBase)

Aggregations

RangerSecurityContext (org.apache.ranger.security.context.RangerSecurityContext)25 UserSessionBase (org.apache.ranger.common.UserSessionBase)24 XXPortalUser (org.apache.ranger.entity.XXPortalUser)8 Authentication (org.springframework.security.core.Authentication)4 HttpSession (javax.servlet.http.HttpSession)3 Before (org.junit.Before)3 HttpServletRequest (javax.servlet.http.HttpServletRequest)2 HttpServletResponse (javax.servlet.http.HttpServletResponse)2 XXPortalUserDao (org.apache.ranger.db.XXPortalUserDao)2 XXUserDao (org.apache.ranger.db.XXUserDao)2 XXAuthSession (org.apache.ranger.entity.XXAuthSession)2 XXUser (org.apache.ranger.entity.XXUser)2 Test (org.junit.Test)2 WebAuthenticationDetails (org.springframework.security.web.authentication.WebAuthenticationDetails)2 SignedJWT (com.nimbusds.jwt.SignedJWT)1 ParseException (java.text.ParseException)1 ArrayList (java.util.ArrayList)1 Calendar (java.util.Calendar)1 CopyOnWriteArrayList (java.util.concurrent.CopyOnWriteArrayList)1 PrePersist (javax.persistence.PrePersist)1